CVE-2024-38460
SonarQube logs sensitive information
4.9
MEDIUM
CVSS 3.1
EPSS 0.18%
Description
In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).
How to fix CVE-2024-38460
To remediate CVE-2024-38460, upgrade the affected package to a fixed version below.
- Upgrade to 9.9.4 LTA or later; on the 10.x line, upgrade to 10.4 or later.
- Upgrading stops new leaks but does not clean up old ones. Any value that was passed through the Settings Encryption feature while on an affected version may already sit in SonarQube access logs, reverse-proxy logs or a log aggregator: search those logs for it, rotate the underlying secret, and redact or purge the entries.
Is CVE-2024-38460 being exploited?
Low. The EPSS score is 0.18%, a low estimated probability of exploitation in the wild over the next 30 days, and no widespread exploitation activity has been reported. The CVSS vector rates privileges required as high (PR:H): the exposure is created by an administrator's own use of the encryption feature, so the practical threat is anyone who can read the access or proxy logs, not an unauthenticated attacker.
Affected packages (1)
- from 0, < 9.9.4 (the description also names 10.0 through 10.3 as affected, with the fix in 10.4)
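The two checks a practitioner wants from this page are (a) whether a given SonarQube version falls inside the affected ranges the description gives ("before 10.4 and 9.9.4 LTA") and (b) whether an existing access or proxy log already contains a cleartext value sent through the Settings Encryption feature. The script below is an added example, not SonarQube's code and not part of the original advisory. It assumes that the encryption endpoint is `/api/settings/encrypt` and that the cleartext travels in the `value` query parameter; confirm both against your own logs. The sample log lines are constructed for the example.

```python
"""Triage helpers for CVE-2024-38460 (added example, not SonarQube code).

  is_affected()      - version falls in an affected range from the advisory
  find_exposures()   - locate Settings Encryption requests whose URL carried
                       the cleartext value into the log
  redact()           - scrub those values before the log is retained/shared

ASSUMPTION: the endpoint is /api/settings/encrypt and the secret is in the
`value` query parameter. Adjust SENSITIVE_PARAMS if your logs differ.
"""
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Fixed releases named in the advisory, keyed by major version.
FIXED_IN = {9: (9, 9, 4), 10: (10, 4, 0)}


def parse_version(version: str) -> tuple:
    """'10.4.0.87286' -> (10, 4, 0); '9.9' -> (9, 9, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"not a SonarQube version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when `version` predates the fix on its own release line."""
    v = parse_version(version)
    major = v[0]
    if major < 9:
        return True                   # everything below 9.9.4 is affected
    if major in FIXED_IN:
        return v < FIXED_IN[major]    # 9.x below 9.9.4, 10.x below 10.4
    return False                      # 11+ assumed to carry the 10.4 fix


# Route suffix -> query parameters whose values are secrets (ASSUMPTION).
SENSITIVE_PARAMS = {"/api/settings/encrypt": {"value"}}

# Request part of a combined/Tomcat-style access log entry: "GET /x?y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def _sensitive_for(path: str):
    """Secret parameter names for this path; tolerates a context path such as
    /sonar/api/... in front of the API route."""
    for route, params in SENSITIVE_PARAMS.items():
        if path.endswith(route):
            return params
    return None


def find_exposures(log_lines):
    """(line_no, path, param, cleartext) for every request that leaked a secret."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        params = _sensitive_for(url.path)
        if not params:
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        for name in sorted(params):
            for value in query.get(name, []):
                hits.append((n, url.path, name, value))
    return hits


def redact(line: str) -> str:
    """Same log line with secret parameter values replaced by [REDACTED]."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    url = urlsplit(m.group("target"))
    params = _sensitive_for(url.path)
    if not params:
        return line
    pairs = [(k, "[REDACTED]" if k in params else v)
             for k, v in parse_qsl(url.query, keep_blank_values=True)]
    scrubbed = urlunsplit(url._replace(query=urlencode(pairs, safe="[]")))
    return line[:m.start("target")] + scrubbed + line[m.end("target"):]


# Constructed sample lines in an access-log layout; not real data.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - admin [20/Mar/2024:10:12:01 +0000] "GET /api/settings/encrypt?value=db-pass-Hunter2 HTTP/1.1" 200 65 "-" "curl/8.4.0" "AY4Q"',
    '10.0.0.5 - admin [20/Mar/2024:10:12:09 +0000] "POST /api/settings/set HTTP/1.1" 204 0 "-" "curl/8.4.0" "AY4R"',
    '10.0.0.7 - - [20/Mar/2024:10:13:30 +0000] "GET /sonar/api/settings/encrypt?value=s3cr3t%26more HTTP/1.1" 200 65 "-" "Mozilla/5.0" "AY4S"',
    '10.0.0.9 - - [20/Mar/2024:10:14:02 +0000] "GET /api/issues/search?value=ignored HTTP/1.1" 200 1800 "-" "Mozilla/5.0" "AY4T"',
]

if __name__ == "__main__":
    for ver in ("9.9.3", "9.9.4", "10.3.1", "10.4"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for hit in find_exposures(SAMPLE_ACCESS_LOG):
        print("leaked:", hit)
    for line in SAMPLE_ACCESS_LOG:
        print(redact(line))
```

Run it against your real access and proxy logs by replacing `SAMPLE_ACCESS_LOG` with the file contents; every hit is a secret to rotate, and `redact()` gives you a scrubbed copy to keep once the originals are purged. The lookup is by path suffix so a deployment behind a context path still matches, but a proxy that logs a different parameter name needs `SENSITIVE_PARAMS` adjusted.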
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.9) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |